Heriplor

Threat Actor Profile Updated 3 months ago
Heriplor, a notable threat actor in the cybersecurity landscape, has been associated with multiple malicious campaigns involving the use of advanced Trojans. The entity is particularly linked to the Dragonfly 2.0 campaign, where it utilized both the Heriplor and Karagany Trojans, which were also employed in earlier Dragonfly operations between 2011 and 2014. This suggests a persistent and evolving threat, given the reuse and refinement of these tools across different cyber-espionage campaigns.

As per the analysis conducted by CTU researchers, there is no evidence indicating that other threat actors have used Havex or Heriplor, suggesting that these tools are unique to this specific threat actor. This exclusivity further underscores the sophistication and distinctiveness of Heriplor's operations, making it a significant concern for entities aiming to secure their digital environments against such advanced threats.

Further investigation into Heriplor's activities revealed intriguing connections to the IRON LIBERTY Havex second-stage malware sample from 2014. Both Heriplor and this Havex sample wrote identical files and shared a command and control (C2) server. These similarities suggest that Heriplor was likely developed from the Havex code base, indicating a continuous evolution and adaptation of its methods over time. This revelation highlights the need for constant vigilance and updated defensive measures to counteract such adaptable and enduring threats.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Havex | 1 | Havex, also known as Dragonfly or the Energetic Bear RAT, is a prominent threat actor in the cybersecurity landscape. First spotted in 2013, Havex was part of a broad industrial espionage campaign that specifically targeted Supervisory Control and Data Acquisition (SCADA) and Industrial Control Syst
IRON LIBERTY | 1 | Iron Liberty is a threat actor group that has been active since at least 2010, as per the timeline of activity observed by CTU researchers. The group specializes in cyber espionage and has been particularly focused on targeting Industrial Control Systems (ICS) companies within the energy sector. Iro
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Associated Malware
ID | Type | Votes | Profile Description
No associations to display
Associated Threat Actors
ID | Type | Votes | Profile Description
Dragonfly | Unspecified | 1 | Dragonfly is a notable threat actor known for its malicious activities in the cybersecurity landscape. This group has been particularly active in targeting the energy sector across various countries, including the United States, Switzerland, and Turkey. The tactics employed by Dragonfly often involv
Associated Vulnerabilities
ID | Type | Votes | Profile Description
Iron Liberty Havex | Unspecified | 1 | None
Source Document References
Information about the Heriplor Threat Actor was read from the documents corpus below.
Source | Created At | Title
MITRE | a year ago | Resurgent Iron Liberty Targeting Energy Sector
MITRE | a year ago | Dragonfly: Western energy sector targeted by sophisticated attack group